This document demonstrates how to configure an IPsec tunnel from PIX
Security Appliance 7.x and later or the Adaptive Security Appliance (ASA) with
one internal network to a 2611 router that runs a crypto image. Static routes
are used for simplicity.

The information in this document is based on these software and
hardware versions:

PIX-525 with PIX Software version 7.0

Cisco 2611 router with Cisco IOS® Software Release 12.2(15)T13

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

On the PIX, the access-list and nat 0 commands work together. When a user on
the 10.1.1.0 network goes to the 10.2.2.0 network, the access list matches that
traffic so that it is encrypted over the tunnel without Network Address
Translation (NAT). On the router, the route-map and access-list commands serve
the same purpose: they permit the 10.2.2.0 network traffic to be encrypted
without NAT. However, when those same users go anywhere else, they are
translated to the 172.17.63.230 address through Port Address Translation (PAT).

These are the configuration commands required on the PIX Security Appliance so
that traffic over the tunnel does not run through PAT, while traffic to the
Internet does run through PAT.
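The NAT-exemption interplay described above, on both the PIX and the router, as an added configuration example. This is not the document's own command listing: the networks and the PAT address 172.17.63.230 come from the text, but the interface names (inside/outside on the PIX, Ethernet0/0 and Ethernet0/1 on the 2611), the access-list names and numbers, the NAT ID and the route-map name are all assumed for illustration.

```cisco
! ===== PIX 7.x side (assumed interface names: inside, outside) =====
!
! ACL that matches the tunnel traffic. The same ACL can be referenced
! by the crypto map as the "interesting traffic" selector, so the
! packets that are exempt from NAT are exactly the ones that get encrypted.
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! nat 0 with an ACL = NAT exemption: anything matching "nonat" keeps its
! real 10.1.1.x source address and enters the IPsec tunnel untranslated.
nat (inside) 0 access-list nonat
!
! Everything else from 10.1.1.0/24 is matched by NAT ID 1 ...
nat (inside) 1 10.1.1.0 255.255.255.0
!
! ... and PAT'd to the single address 172.17.63.230 on the outside interface.
global (outside) 1 172.17.63.230
!
! Order of evaluation: nat 0 (exemption) is checked before the numbered
! NAT/PAT rules, so tunnel-bound traffic never reaches the PAT statement.


! ===== 2611 router side (assumed interface names and ACL/route-map names) =====
!
interface Ethernet0/0
 ip nat inside
!
interface Ethernet0/1
 ip nat outside
!
! ACL 120 is evaluated by the route-map below. A DENY entry here does not
! drop traffic; it means "do not translate". Tunnel traffic from 10.2.2.0/24
! to 10.1.1.0/24 is therefore left untranslated and can match the crypto ACL.
access-list 120 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 120 permit ip 10.2.2.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 120
!
! Only packets permitted by the route-map (i.e. not bound for 10.1.1.0/24)
! are PAT'd to the outside interface address.
ip nat inside source route-map nonat interface Ethernet0/1 overload
```

The check a practitioner wants after applying this is that a packet from 10.1.1.2 to a 10.2.2.x host still carries its real source address when it reaches the crypto map (on the PIX, show xlate should show no translation for it), while a packet from 10.1.1.2 to any Internet address shows up translated to 172.17.63.230. If the exemption ACL and the crypto ACL disagree, the usual symptom is traffic that is translated first and then fails to match the tunnel selectors.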

This example demonstrates how to configure the PIX using the ASDM GUI.
A PC with a browser and IP address 10.1.1.2 is connected to the inside
interface e1 of the PIX. Ensure that HTTP is enabled on the PIX.

This procedure illustrates the ASDM configuration of the Headquarters
PIX.

Connect the PC to the PIX and choose a download method.

ASDM loads the existing configuration from the PIX.

This window provides monitoring instruments and menus.

Select Configuration > Features > Interfaces
and select Add for new interfaces or Edit for
an existing configuration.

Select the security options for the inside interface.

In the NAT configuration, encrypted traffic is NAT-exempt and all
other traffic is NAT/PAT to the outside interface.

debug icmp trace—Shows whether ICMP
requests from the hosts reach the PIX. You need to add the
access-list command to permit ICMP in your
configuration in order to run this debug.

logging buffer debugging—Shows connections
being established and denied to hosts that go through the PIX. The information
is stored in the PIX log buffer and you can see the output with the
show log command.